Security issues are important in radio communication systems. The use of encryption and authentication mechanisms certainly improves the security of radio communication systems, but it is still possible to find vulnerabilities due to the way that networking protocols operate. A definite weakness is the common address resolution protocol (ARP) that Transmission Control Protocol/Internet Protocol (TCP/IP) networks utilize. A hacker with the right tools can exploit ARP and pretend to be somebody else in a radio communication network, such as a wireless local area network (WLAN).
ARP is a crucial function used by a sending wireless or wired network device to discover the physical address, or Layer 2 address (as referred to in the OSI model), of a destination device. The Layer 2 address of a device is, for instance, the medium access control (MAC) address, which is embedded in the device by the manufacturer and is unique to that device or network component. The sending device needs to know the Layer 2 address of the destination in order to establish a communication session with the destination, since the sending device only understands and responds to the Layer 2 address.
The application software that needs to send the data will have a Layer 3 address, such as an IP address of the destination, but the sending device has to use ARP to discover the corresponding Layer 2 address. It obtains the Layer 2 address by broadcasting an ARP request packet that announces the Layer 3 address of the destination device.
All devices will hear this request, and the device having the corresponding Layer 3 address will return an ARP response packet containing its Layer 2 and 3 addresses. The sending device will then include this Layer 2 address as the destination address in the frame being sent. The sending device also stores the corresponding Layer 3 address and Layer 2 address mapping in a table for a period of time or until the device receives another ARP response from the station having that Layer 3 address.
A problem with ARP is that it introduces a security risk resulting from ARP spoofing, i.e. the creation of IP packets with a forged (spoofed) source IP address. For instance, a hacker can fool a device by sending from a rogue network device a fictitious ARP response that includes the IP address of a legitimate network device, such as a wireless access point or router, and the MAC address of the rogue device. This causes the legitimate stations in the network to automatically update their ARP tables with the false mapping.
As a consequence, these devices will then send future packets to the rogue device rather than the legitimate access point or router. This is a classic so-called man-in-the-middle attack, which enables a hacker to manipulate user sessions. As a result, the hacker can capture sensitive data, obtain passwords and even interface with corporate servers as if they were the legitimate user.
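The false mapping described above can be detected by watching for ARP responses that contradict a mapping that has already been learned. The following Python code is an added example, not part of the original text; the function and class names and all addresses are constructed for illustration.

```python
import socket
import struct

ARP_REPLY = 2  # opcode of an ARP response
# Constructed sample addresses (documentation IP range, locally administered MACs).
GW_IP, GW_MAC = "192.0.2.1", "02:00:00:00:00:01"
CLIENT_IP, CLIENT_MAC = "192.0.2.50", "02:00:00:00:00:50"
OTHER_MAC = "02:00:00:00:00:99"

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 28-byte Ethernet/IPv4 ARP payload (used to construct samples)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                       mac(sender_mac), socket.inet_aton(sender_ip),
                       mac(target_mac), socket.inet_aton(target_ip))

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, payload[8:14].hex(":"), socket.inet_ntoa(payload[14:18])

class ArpMonitor:
    """Keeps the first-seen Layer 3 to Layer 2 binding and flags contradictions."""
    def __init__(self):
        self.table = {}   # ip -> mac, first binding seen
        self.alerts = []  # (ip, known_mac, claimed_mac)

    def observe(self, payload):
        parsed = parse_arp(payload)
        if parsed is None:
            return "malformed"
        oper, mac, ip = parsed
        if oper != ARP_REPLY:
            return "ignored"
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            return "learned"
        if known == mac:
            return "consistent"
        # Same Layer 3 address now claimed by a different Layer 2 address:
        # keep the existing binding and record the conflict for review.
        self.alerts.append((ip, known, mac))
        return "conflict"
```

A conflict is only an indicator: a legitimate change of the hardware behind an IP address produces the same signal, so the alert needs to be confirmed against the known inventory.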
In order to counter ARP spoofing, a so-called secure ARP (SARP) has been implemented. This enhancement to ARP provides a special secure tunnel between each client and the router or wireless access point, which ignores any ARP responses not associated with the clients on the other end of the secure tunnels. Thus, only legitimate ARP responses provide the basis for updating ARP tables. The devices implementing SARP are free from spoofing.
However, the drawback of the SARP solution is that it still requires the use of ARP, and the use of SARP requires the installation of special software on each client. For this reason, SARP is not practical, e.g. for public hotspots. Furthermore, SARP does not provide means for preventing spoofing of dynamic host configuration protocol (DHCP) and domain name system (DNS) servers.